@sleevi_ Does Chrome outright reject redacted certificates at the moment? Is there a place/page where this is documented/explained?
-
Well, in my experience with PKI, it’s not a requirement for something to be specified to work in practice. And the opposite happens too: specified things often don’t work.
-
TLS clients need explicit support for redaction because of how SCT signatures work. Without explicit support, the SCT will have an invalid signature. No different than if you tried to use a http://yahoo.com SCT with a http://google.com cert.
-
I never mentioned CT in my question! I merely wanted to know if Chrome actively tried to detect “redacted” certificates. For example, looking at the 1.3.101.77 extension. I never got a reply to that, but both of you went on to explain to me how CT works :)
-
That’s just an OID off the Thawte arc though, and doesn’t appear in the final cert - so what would be rejected? Certs that aren’t CT qualified? We already did that for SYMC certs. Not because of redaction tho, except incidentally
-
There’s 1.3.101.77 in the cert on https://invalid-expected-sct.badssl.com My questions may have obvious answers to you, but that’s because you’re on the inside. From the outside, lots of stuff appears as random. I don’t even try to understand “why”, understanding behaviour is difficult enough :)
-
Ah right, forgot about the redacted commitment thing. In any event, understanding the why is the key to understanding or predicting the behavior :) Understanding that the SCTs don’t match and that Symantec/new certs need to be CT qualified makes the rejection clear ;)